Monday, May 07, 2007

Are Target's payment card and new refund procedures stopping retail criminal activity?

Will stricter return policies drive Target's customers elsewhere? Some are saying the new return policy (which will require a receipt for cash refunds of $20 or more) isn't very customer friendly, and might do just that. Others are questioning whether another policy (how Target verifies plastic transactions) is enabling fraud within its four walls.

As for the new refund policy, Target's response is that it will affect a very small number of its customers. Chris Serres of the Star Tribune (Minneapolis - St. Paul) gives Target's rationale:

Target officials said the new limits affect fewer than 5 percent of its customers. Shoppers who have bought products with credit cards, debit cards or checks can still return them without receipts, without having to worry about the new limits.

"While we expect the changes to ... impact a very small number of guests, our goal is to minimize losses regardless of amount," said Amy von Walter, a Target spokeswoman.

Law enforcement officials have a different take on this:

Target's practice of not checking the IDs of credit card holders has made it a target for more sophisticated fraudsters, said Brandon Deshler, an officer with the Edina Police Department and a detective with the Minnesota Financial Crimes Task Force, a state law enforcement agency. "There is a real inconsistency here," he said.

Sophisticated fraudsters are becoming the norm, with data breaches, carder forums, and do-it-yourself (DIY) crime kits being marketed via the Internet.

I keep reading about how identity theft is tied to methamphetamine use, but in reality it might just as well be tied to heroin, or any other narcotic people get addicted to. Addicts often turn to retail crime to support their habits, too.

Before the Internet made sophisticated fraud pretty easy to accomplish, addicts did a lot of shoplifting (boosting) to support their habits.

As time went on, retailers got smarter. They started locking up high-value, high-shrink merchandise and tightened their return policies. To get around this, many retail criminals now use fraudulent payment devices (counterfeit cards and checks), which are pretty easy to obtain.

Organized criminals now take their "cut" by selling the information and devices to less sophisticated crooks, who do the dirty work for them. Deals are made on the Internet with a click of a mouse, and the devices are (normally) shipped from foreign sources, where it is hard to identify the criminals behind them.


Fraudulent devices are ordered in chat rooms, paid for by wire transfer or PayPal, and shipped to these (questionably) sophisticated criminals via UPS or FedEx, worldwide. Sometimes they are shipped in bulk to one location and then redistributed, another method that makes tracing the devices back to their original source difficult.

Because of this growing availability, retail criminals are using fraudulent payment devices to obtain merchandise and then refund it.

If customers who paid with credit cards, debit cards and checks are still allowed to return merchandise without receipts, I'm guessing a lot of refund fraud will still occur.

I wondered how customers who used payment devices (checks, credit cards, debit cards) could get a refund without a receipt. Just to make sure, I called my local Target and said I had lost the receipt from a credit card purchase. I was told to bring my credit card in and they could look up the transaction.

In light of the many recent data breaches, such as TJX (where at least 45 million customers were compromised), this thought scared me. Even if Target's systems are completely safe (I'm not sure any really are), does this mean a dishonest employee could access my information? Employee dishonesty has long been (and still is) a major problem at most businesses.

The best thought-out security can be beaten by one person with access to it!

One of the systems compromised at TJX was its refund authorization system. Limiting access to personal and financial information, or better yet not retaining it at all, is the recommended way to prevent data theft.
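Here, as an added example that is not part of the original post and not Target's or TJX's system, is how a receipt-less refund lookup can work without the store ever retaining the card number: the ledger stores only a keyed hash (HMAC) of the card number plus the last four digits, looks sales up by recomputing the hash from the card the customer presents, and refuses refunds that don't match that card or exceed what was paid. The key name, the field names, the Luhn pre-check and the sample card numbers are assumptions for the example; a real deployment would keep the key in an HSM or key-management service, not next to the data.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Server-side tokenization secret. Constructed for this example; in practice it
# lives in an HSM or key-management service, never in the refund database.
TOKEN_KEY = b"example-only-refund-tokenization-key"


def _digits(pan: str) -> str:
    return "".join(c for c in pan if c.isdigit())


def luhn_ok(pan: str) -> bool:
    """Reject obviously malformed card numbers before they reach the ledger."""
    digits = [int(c) for c in _digits(pan)]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_token(pan: str) -> str:
    """Keyed hash of the card number: stable for lookups, not reversible without TOKEN_KEY."""
    return hmac.new(TOKEN_KEY, _digits(pan).encode(), hashlib.sha256).hexdigest()


@dataclass
class Sale:
    sale_id: str
    token: str          # HMAC of the card number, never the number itself
    last4: str          # enough for a clerk to confirm the card in hand
    amount_cents: int
    refunded_cents: int = 0


class RefundLedger:
    """Receipt-less refund lookup that retains no card numbers."""

    def __init__(self):
        self._sales = {}    # token -> [Sale, ...]
        self._by_id = {}    # sale_id -> Sale

    def record_sale(self, sale_id: str, pan: str, amount_cents: int) -> Sale:
        if not luhn_ok(pan):
            raise ValueError("malformed card number")
        sale = Sale(sale_id, card_token(pan), _digits(pan)[-4:], amount_cents)
        self._sales.setdefault(sale.token, []).append(sale)
        self._by_id[sale_id] = sale
        return sale

    def lookup(self, pan: str) -> list:
        """What the clerk sees when the customer presents the card instead of a receipt."""
        return list(self._sales.get(card_token(pan), []))

    def refund(self, sale_id: str, pan: str, amount_cents: int) -> int:
        """Refund only against a sale made with this card, never more than was paid.
        Returns the amount still refundable on that sale."""
        sale = self._by_id.get(sale_id)
        if sale is None or not hmac.compare_digest(sale.token, card_token(pan)):
            raise PermissionError("no such sale on this card")
        if amount_cents <= 0 or sale.refunded_cents + amount_cents > sale.amount_cents:
            raise ValueError("refund exceeds original sale")
        sale.refunded_cents += amount_cents
        return sale.amount_cents - sale.refunded_cents

    def contains_pan(self, pan: str) -> bool:
        """Audit helper: does the raw card number appear anywhere in stored state?"""
        return _digits(pan) in repr(self._sales)


if __name__ == "__main__":
    ledger = RefundLedger()
    test_pan = "4111 1111 1111 1111"      # standard test number, constructed input
    ledger.record_sale("S1", test_pan, 4999)
    print("stored card number?", ledger.contains_pan(test_pan))
    print("sales on this card:", ledger.lookup(test_pan))
    print("left to refund:", ledger.refund("S1", test_pan, 2000))
```

A dishonest employee who dumps this table gets hashes and last-four digits; without TOKEN_KEY the hashes cannot be turned back into card numbers, and without a card in hand no lookup can be run.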


Besides that, I often wonder how accurate the data in some of these refund systems is. These days crooks use a lot of other people's information, so a record tied to a card number isn't necessarily a record tied to the card's real owner.

Since Target relies on electronic authorization (it doesn't even require staff to check ID on credit/debit card transactions), the law enforcement official quoted above might have a very valid concern.

But this isn't the only time I've read about this concern in the past week.

An article came out from Washington about an enraged identity theft victim who, after realizing no one was doing anything with her case, decided to beat the pavement (investigate) herself. Working with a reporter, she did her own check of retailers, and here is what happened at Target (as reported on KOMOTV.com):


We did the same thing at Target. This time, we included wine in our purchase thinking some stores require an ID check when buying alcohol. At no point during our checkout did the Target clerk even ask to see the credit card. The clerk never asked for an identification check.

In a statement, Target says it does not require its clerks to handle or inspect credit cards. Instead the store relies on an electronic authorization system where the customer swipes their own credit card through a reader. "Electronic authorization is faster and more accurate than relying on visual inspection or verification of written signatures," says Brie Heath of Target.

Even with these systems, where the customer swipes their own card, a lot of retailers require the clerk to check identification AND inspect the card on signature transactions. In fact, many POS (point-of-sale) systems prompt the customer and the clerk to do exactly that.

Counterfeiting payment cards has become so easy that it's now done in garages with hardware that can (unfortunately) be bought over the Internet. Granted, identification can also be counterfeited, but visual inspection at least makes it a little harder to commit payment (debit/credit) card fraud.

The truth is that electronic verification systems only read data, and in the case of debit and credit cards that data (the magnetic stripe) is being copied (counterfeited) all the time. A reader has no way to tell a cloned stripe from the original.

Many might ask why Target would rely on an electronic system with so much fraud going on out there. One reason might be that when a card is "swiped" (electronically authorized), it is pretty hard for the bank to charge the transaction back to Target.

When this happens, I'm guessing Target isn't the one taking the loss; the bank is.


Chargebacks are becoming a huge issue, and many merchants (especially e-commerce merchants) say the rules are unfair to them, too. These merchants claim the rules favor the banks, who pass the cost of fraud on to them. With the recent TJX data breach, and the realization of how expensive information theft has become, we can expect more controversy on this issue.

It's sad that businesses seem to be spending more time going after each other than the criminals behind the activity (my emphasis).

We also need to consider the considerable grief victims go through in this process. Victims can be held liable for losses, have their credit ruined, and even be charged with crimes they didn't commit. Some of these victims are undoubtedly past, present, or future customers.

It's pretty easy for me to understand why law enforcement officials and identity theft victims might be a little frustrated with Target's policies.

There is no doubt that the amount of refund and payment device fraud is growing. Businesses have the right to protect themselves, but passing the financial loss to another business, and ultimately to all of us, does little to stop the problem. In fact, it might be one of the reasons this type of fraud is growing.


It would be unfair to single out Target on these issues. Other retailers need to be looking at them, too. Retailers are sold expensive security technology and too often (my emphasis) find that someone has figured out a way to exploit it.

Systems get defeated by human beings all the time. The best defense against this is other human beings. Removing the human interface from the equation makes it easier to commit fraud (my emphasis).

Star Tribune article, here.

KOMOTV.com article about the identity theft victim doing her own investigation, here.

Saturday, May 05, 2007

How to avoid getting your information stolen via wireless connections

Yesterday, I wrote about how the FBI is warning us that personal details can be stolen (i-jacked) when using public computers. This is done with crimeware previously installed on the public computer, which logs the keys you strike and sends the information (electronically) to criminals.

It can be dangerous to look at any of your online financial information on these (public access) machines.

When writing about this, I remembered that even using your own computer at a public place with a wireless connection can expose your personal and sometimes financial details.

Just the other day, Martin Bosworth over at Consumer Affairs wrote an excellent piece covering this danger, in which he stated:


Sending unencrypted information over any unfamiliar network can turn your computer into an open book -- with pages full of your personal information.


Many of these connections appear legitimate because they are spoofed (camouflaged to look like a trusted connection).

Spoofing a connection or a site isn't very hard to do. The crooks simply copy the pictures and wording from legitimate sites onto their own. The Artists Against website has a portal where you can see fake websites that are up and running on the Internet, here.

Martin's article contains some excellent tips on how to navigate the murky waters of public hot spots safely.

They can be viewed, here.
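As an added example (not from the original post or from Martin's article) of what "open book" means in practice, here is a small Python scanner run over a constructed capture of what someone sniffing the same hotspot would see: a cleartext HTTP form login, an HTTP Basic authorization header and a POP3/FTP PASS command are all recovered, while a TLS record yields nothing. The sample payloads, the host name bank.example, the field names and the protocol labels are constructed assumptions for the example.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Patterns for credentials that travel in the clear. Constructed for this example.
BASIC_AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
HOST_RE = re.compile(rb"^Host:\s*(\S+)\s*$", re.I | re.M)
MAIL_USER_RE = re.compile(rb"^USER\s+(\S+)", re.I | re.M)   # POP3 / FTP
MAIL_PASS_RE = re.compile(rb"^PASS\s+(\S+)", re.I | re.M)
USER_FIELDS = ("user", "username", "login", "email")
SECRET_FIELDS = ("password", "passwd", "pass", "pwd", "pin")


def scan_payload(payload: bytes) -> list:
    """Return (protocol, host, username, secret) tuples found in one captured TCP payload."""
    findings = []
    # A TLS record starts with a content-type byte (0x14-0x17) and major version 0x03;
    # nothing inside it is readable to a sniffer, which is the whole point of TLS.
    if len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03:
        return findings
    head, _, body = payload.partition(b"\r\n\r\n")
    m = HOST_RE.search(head)
    host = m.group(1).decode(errors="replace") if m else "?"
    m = BASIC_AUTH_RE.search(head)
    if m:
        try:
            user, _, pw = base64.b64decode(m.group(1), validate=True).decode(errors="replace").partition(":")
            findings.append(("http-basic", host, user, pw))
        except ValueError:
            pass    # not valid base64; leave it
    if head.startswith(b"POST ") or head.startswith(b"GET "):
        # form fields can travel in the body (POST) or the query string (GET)
        parts = head.split(b" ", 2)
        query = urlsplit(parts[1]).query if len(parts) >= 2 else b""
        fields = {**parse_qs(query.decode(errors="replace")), **parse_qs(body.decode(errors="replace"))}
        user = next((v[0] for k, v in fields.items() if k.lower() in USER_FIELDS), "?")
        for k, v in fields.items():
            if k.lower() in SECRET_FIELDS:
                findings.append(("http-form", host, user, v[0]))
    m = MAIL_PASS_RE.search(payload)
    if m:
        u = MAIL_USER_RE.search(payload)
        findings.append(("pop3/ftp", host, u.group(1).decode(errors="replace") if u else "?",
                         m.group(1).decode(errors="replace")))
    return findings


def scan_capture(payloads) -> list:
    """Run over every payload in a capture and collect the findings."""
    out = []
    for p in payloads:
        out.extend(scan_payload(p))
    return out


# Constructed sample "capture": four TCP payloads as a sniffer on the hotspot would see them.
SAMPLE_CAPTURE = [
    b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=alice&password=hunter2",
    b"GET /api/balance HTTP/1.1\r\nHost: bank.example\r\nAuthorization: Basic "
    + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n",
    b"USER alice\r\nPASS mailpw1\r\n",
    bytes.fromhex("160301002e0100002a0303") + b"\x00" * 32,   # TLS ClientHello: opaque
]

if __name__ == "__main__":
    for finding in scan_capture(SAMPLE_CAPTURE):
        print(finding)
```

The same logic dropped into a sniffer running on a laptop at the next table is all it takes; the defence is the one Martin gives, which is not to send anything you care about over an unfamiliar network unless it is inside an encrypted session.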

Interestingly enough, wireless technology isn't only used to compromise individuals. In the recent TJX data breach, where some are saying 200 million records have been stolen since 2003, reports say the data was stolen using wireless technology.

It's being reported that this was accomplished from a car with a laptop. Driving around with a laptop looking for, and using, other people's wireless connections is sometimes referred to as "war-driving," which is my new word for the day.

Joseph Pereira (Wall Street Journal) wrote about this (courtesy of the Northwest Florida Daily News), here.

Friday, May 04, 2007

TSA loses 100,000 employee records and discloses the matter immediately


For the first time that I can remember, a data breach is being reported the day after it was discovered by an agency entrusted to protect and serve the public at large. Here is part of the press release from the Transportation Security Administration (TSA):


Yesterday the Transportation Security Administration (TSA) became aware of a potential data security incident involving approximately 100,000 archived employment records of individuals employed by the agency from January 2002 until August 2005. An external hard drive containing personnel data (including name, social security number, date of birth, payroll information, bank account and routing information) was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital. It is unclear at this stage whether the device is still within headquarters or was stolen. TSA immediately reported the incident to senior DHS and law enforcement officials and launched an investigation.


Of note, the information compromised here is everything an identity thief would need to completely assume another person's identity, sometimes referred to in carder forums as a "full."

Carder forums (chatrooms) are where a lot of stolen personal and financial information is sold, right over the Internet.

Their press release on this unfortunate matter states they have extensive data protection protocols, which I would hope include encrypting any data stored on a portable device.

I'm sure some are going to try to bash TSA for this incident; however, I am going to take a different stance, which is that they appear to be handling the matter a lot more responsibly than many organizations that have been breached recently. In my humble opinion, the TSA is taking this seriously and handling it the best way possible. Data breaches embarrass a lot of organizations, and too many of them would rather avoid the negative publicity than do the right thing to protect their (in this case OUR) most valuable asset, people.

I'm not thrilled with this data breach, or that information continues to be left where it shouldn't be, but disclosure (being more honest) goes a long way towards fixing the overall problem.

Recently, a TSA employee caught a culprit with 43 different driver's licenses and a lot of bogus payment devices. We need to remember that the people compromised by this protect all of us!

I really liked their statement about what they intend to do if wrongdoing is discovered:

TSA has extensive data protections protocols and training in place for its employees regarding data privacy. TSA has zero tolerance for employees not following policies on data protection and will take swift disciplinary action, including dismissal, against individuals found to be in violation of our procedures.


I'm not able to comment on TSA's data privacy procedures (I've never seen them), but one person with access who violates any data privacy procedure can do a lot of damage.

If anyone knows something about this data breach, information can be submitted to the FBI (the investigating agency), here.

Data breaches have happened at a lot of places. If you are interested in reading more about them and where they occurred, the Privacy Rights Clearinghouse maintains a chronology, here.

A lot of data breaches occur when information is stored on portable (easily stolen) devices. Some claim that even if encryption is present on the device, the wrong person can still (sometimes) access the information; a weak passphrase, or one written down next to the drive, makes the encryption little more than a formality.

The full press release can be read, here. They also link to the new government site on identity theft (worth a read if you haven't seen it yet), here.

You never know who might be selling hot merchandise on eBay

Normally, I avoid writing about petty crime, but this one is too good to pass up.

From SF Gate:

A Hillsboro mother found her daughter's missing winter coat on eBay, and now a teacher at the girl's elementary school faces charges of theft and computer crimes.

The teacher, who was placed on administrative leave pending the outcome of her trial, claims she found the jacket in the lost and found.

Of course, Mom claims she had already checked there!

With all the alleged fencing that goes on at auction sites, this person is either very unlucky or doesn't cover her tracks very well. I would recommend she stick with teaching elementary students.

A couple of days ago, I wrote about what can happen to credit cards and identification left haphazardly in a lost and found:

Airline employees and correctional officer arrested for credit card fraud

Full story from SF Gate, here.

FBI warns of banking details being i-jacked (stolen) at Internet cafes and hotel business centers

It could be pretty expensive to check your online banking assets at an Internet cafe, or on the public computer in a hotel's business center.

Here is an interesting article by Robert Schmidt at Bloomberg.com, quoting FBI sources, in which he says:

Tens of millions of dollars have been looted from online brokerage accounts in a fast-growing fraud that targets unsuspecting hotel guests and Internet cafe patrons, Federal Bureau of Investigation officials say.

The way this is done isn't new; the crooks simply install keylogging software on these public machines. As I've written before, keylogging software (itself) is legal and can be bought by anyone over the Internet. Some of the legal (marketing) justifications are spying on employees, spouses and your children.

Oh, I forgot: they are also used by private investigators, like the ones busted in the recent HP scandal.

Keyloggers are also dropped (installed) on computers via spam e-mail, when an unsuspecting person clicks on the wrong link. According to the Anti-Phishing Working Group, their use is growing rapidly; February set an all-time record for this type of activity, according to the group's monthly report.

Although keyloggers are legal, when criminals use them to steal personal and financial information we call them crimeware (go figure).

To read the full article at Bloomberg.com, click here.

I wonder if the FBI's job would be easier if laws were enacted to stop certain companies from enabling this growing problem?

Wednesday, May 02, 2007

Airline employees and correctional officer arrested for credit card fraud

A lot of payment (credit/debit) card fraud is caused by dishonest employees who skim the information from cards, or who simply "forget" to return your card to you. And when they forget, it might be intentional!

The New York City District Attorney's Office announced:

Manhattan District Attorney Robert M. Morgenthau announced today the arrest of four JetBlue employees and a New York City Department of Corrections Officer for the unauthorized use of credit cards from Jet Blue customers.

Press release, here.

Pretty scary that JetBlue (airline) personnel and a correctional officer, who should be people who can be trusted, seem to have given a black eye to their professions.

I saw this story the day after I had to go back to a Del Taco that had failed to return my card to me. After going to considerable trouble to get my card back (which I should probably cancel), I was amazed that no one apologized for what had happened.

They even charged me for the iced tea I ordered when I returned to get the card.

On a more serious note, businesses should always make sure lost payment devices and identification are properly secured. They should only be kept for a short period of time, then destroyed, to prevent someone compromising (using) them.

Many people would be shocked at how often these lost and found items are kept (sometimes for years) in not very secure places, such as an unlocked drawer.

At least the Del Taco manager did make me show ID to get my card back, but she didn't do very much to make me rave about their customer service. A kind or sympathetic word can do a lot to smooth over an unfortunate situation like this one!

As for restaurant employees involved in credit card fraud, a lot has been written about this recently.

Here is my version of what a lot of people have been writing about:

Why it's become TOO easy for restaurant workers to skim payment cards

Please note, it's probably not fair to single out restaurant workers; this can occur at any business that accepts plastic, or even checks.

Washington Post exposes another reason why Katrina victims are still suffering

The hurricane disasters, and what they say about social issues, continue to amaze me. To me, the rest of the world can learn a lot by studying the ongoing problems related to the disaster.

The amount of money wasted or lost to fraud (over a billion dollars and growing) is a sad commentary, when a lot of the victims are still living in the now infamous FEMA trailers.

Now a new allegation is being brought forward: that $854 million in aid promised by our allies wasn't even accepted. I find this pretty interesting, as people are still suffering nearly two years afterwards.

Even more shameful is that expert search and rescue personnel were turned down immediately after the hurricane, when they probably would have been extremely helpful:

And while television sets worldwide showed images of New Orleans residents begging to be rescued from rooftops as floodwaters rose, U.S. officials turned down countless offers of allied troops and search-and-rescue teams. The most common responses: "sent letter of thanks" and "will keep offer on hand," the new documents show.

This fact, given the problems in the initial response, amazes me.

Original Washington Post article, here.

I wonder how our allies, many of whom have accepted similar aid from us in the past, felt when we turned their generous offers down?

More recently, the Post is reporting that Congress intends to look into this. The article regarding this can be read, here.

I'm not sure when the story on Katrina will be over. The bottom line is that there are still a lot of hurricane victims who could use a helping hand. A good place to learn more is Margaret Saizan's site (Beyond Katrina), which can be seen here.

Tuesday, May 01, 2007

Phishermen use call-forwarding scam to avoid detection when bank notes suspicious activity

Most of us get a lot of phishy e-mails requesting personal and financial information from criminals pretending to be a trusted brand. Now they are adding a devious twist designed to beat the fraud detection software a lot of companies use to spot fraudulent transactions early on.

Herb Weisbaum of KOMOTV.com (Seattle) reports:

The mass e-mail I saw claimed to be from Bank of America -- big banks are a prime target for these scams because they have so many customers.

The e-mail says, "During our regular update and verification we could not verify your current phone number. Either your information has been changed or it is incomplete."

The message tells you to confirm your phone number right away "or your account will be suspended indefinitely."

Not only are you supposed to give them your phone number, you're instructed to forward your calls to the Bank of America Security Department, and they give you that number.

Herb's full story, here.

When the institution notes suspicious activity and calls the customer, the forwarded call goes to the scammer, who assures them "all is well."

Using call forwarding to defraud people isn't exactly new, but this is a new twist. In the past, scammers have called the telephone company, claimed that a business line was having problems, and instructed them to forward the line to another number (theirs). This is normally done to businesses that accept payment information over the telephone.

Of course, the goods or services are never received, and the payment information is later used for criminal purposes, or to steal money.

This practice is enabled by telephone companies not verifying (authenticating) the caller when a call forwarding request is placed. Most telephone companies allow the owner of a line to protect it with a password, but unless the owner does so, the line is open to this sort of attack.

It's probably a good idea (especially for businesses) to have a password placed on their account!

Consumer Affairs wrote about another variation of the call-forwarding scam, designed to charge the victim for long distance calls (possibly used by fraudsters, or even inmates, to commit crimes), where the victim is tricked into call-forwarding their own number.

Note that the command to turn on call forwarding at most telephone companies is "72#" or "*72," followed by the telephone number. The inmate or fraudster normally poses as a telephone tech who tells you there is a problem with the line and asks you to dial it. Call forwarding is turned off by entering "73#" or "*73" (not "*72," which turns it on).

Please note that at some businesses (on a PBX), the command used is "90#".

This scam is frequently used by prisoners in correctional institutions to make free calls, and it targets both personal and business lines. That is another good reason for businesses to password protect their telephone account and consider disabling call forwarding. Most telephone companies charge extra for the service, anyway.

Consumer Affairs story, here.